Third-party signatures allow you to enhance the virus detection rate of ClamAV.
• These signature providers are independent from Danami, therefore we have no control over them. Make sure to watch for false positives after enabling a new provider.
• When a provider is enabled, the provider URLs will be added to Settings -> Signature Updates -> DatabaseCustomURL. Signature update logs can be found under Logs -> Signature Log.
• Provider files are downloaded to the /var/lib/clamav/ directory. Warden will delete the matching database from this directory when it is de-selected or when the provider is disabled.
• The ClamAV daemon will use over 1 GB of memory with all the providers enabled, so make sure your server has enough memory before enabling any providers.
SaneSecurity is a set of free signatures focusing on 0-day and 0-hour malware, which means that it includes hashes of new malicious files being sent by e-mail. It contains signatures for malicious URLs, common spam and phishing messages, and generic signatures which detect some common techniques used in malware, such as exe files with a double extension (for example pdf.exe), exe files hidden in ISO files, and frequently abused functions in MS Office macros. SaneSecurity also distributes signatures from other sources, such as phishing URLs from phishtank.com.
sanesecurity_enable - sanesecurity_enable
Enable or disable the SaneSecurity signature provider.
Default: 0
sanesecurity_provider_url - sanesecurity_provider_url
The base URL of this signature provider.
Default: https://ftp.swin.edu.au/sanesecurity/
sanesecurity_provider_files - sanesecurity_provider_files
The signature database files to download from this provider.
Default: badmacro.ndb blurl.ndb bofhland_cracked_URL.ndb bofhland_malware_attach.hdb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb foxhole_filename.cdb foxhole_generic.cdb foxhole_js.cdb foxhole_js.ndb hackingteam.hsb junk.ndb jurlbl.ndb jurlbla.ndb lott.ndb malwarehash.hsb phish.ndb phishtank.ndb porcupine.ndb rogue.hdb scam.ndb shelter.ldb spamattach.hdb spamimg.hdb spear.ndb spearl.ndb winnow.attachments.hdb winnow_bad_cw.hdb winnow_extended_malware.hdb winnow_extended_malware_links.ndb winnow_malware.hdb winnow_malware_links.ndb winnow_phish_complete_url.ndb winnow_spam_complete.ndb
File | Description | False Positive Risk |
---|---|---|
badmacro.ndb | Blocks dangerous macros embedded in Word/Excel/XML/RTF/JS documents. | medium |
blurl.ndb | Blocklisted full URLs over the last 7 days, covering malware/spam/phishing. URLs are added only when the main signatures have failed to detect but the URL is known to be bad. | low |
bofhland_cracked_URL.ndb | URLs of cracked-software spam. | low |
bofhland_malware_attach.hdb | Malware hashes. | low |
bofhland_malware_URL.ndb | Malware URLs. | low |
bofhland_phishing_URL.ndb | Phishing URLs. | low |
foxhole_filename.cdb | Block certain commonly known malware filenames within Zip, Rar, 7z, Arj and Cab archives. | low |
foxhole_generic.cdb | Block double extensions of certain dangerous filetypes that are contained within Zip, Rar, 7Zip, Arj and Cab files. These files will be detected only if they end in dangerous filetypes such as: pif, scr, exe, com, bat, cmd, vbs, lnk, cpl and vb. | low |
foxhole_js.cdb | Block most JavaScript (.js) files within Zip and Rar archives. To help minimise false positives, this database will only scan small Zip and Rar files. | medium |
foxhole_js.ndb | Block ALL JavaScript (.js) files within GZip and Ace archives. | medium |
foxhole_mail.cdb | Block any mail that contains possibly dangerous attachments such as: js, jse, exe, bat, com, scr, uue, ace, pif, jar, gz, lnk, lzh. | low |
hackingteam.hsb | Hacking Team hashes converted to ClamAV format. | low |
junk.ndb | General high-hitting junk, containing spam/phishing/lottery/jobs/419s etc. | low |
jurlbl.ndb | Junk URL based. | low |
jurlbla.ndb | Junk URL based, autogenerated from various feeds. | medium |
lott.ndb | Lottery spam. | medium |
malwarehash.hsb | Malware hashes without known size. | low |
phish.ndb | Phishing and malware. | low |
phishtank.ndb | Online and valid phishing URLs from the phishtank.com data feed. | low |
porcupine.ndb | SHA256 hashes of VBS and JSE malware (kept for 7 days). | low |
rogue.hdb | Malware, rogue anti-virus software, fake codecs etc. Updated hourly to cover the latest malware threats. | low |
scam.ndb | Scam spam. | low |
shelter.ldb | Phishing and malware. | low |
spamattach.hdb | Spam attachments such as PDFs/docs/RTF/zips. | low |
spamimg.hdb | Spam images. | low |
spear.ndb | Spear phishing email addresses. | medium |
spearl.ndb | Spear phishing URLs. | medium |
winnow.attachments.hdb | Spammed attachments such as PDFs/docs/RTF/zips. | low |
winnow_bad_cw.hdb | MD5 hashes of malware attachments acquired directly from a group of botnets. | low |
winnow_extended_malware.hdb | Hand-generated signatures for malware. | low |
winnow_extended_malware_links.ndb | Hand-generated signatures for malware links. | medium |
winnow_malware.hdb | Current virus, trojan and other malware not yet detected by ClamAV. | low |
winnow_malware_links.ndb | Links to malware. | low |
winnow_phish_complete_url.ndb | Phishing and other malicious URLs and compromised hosts. | medium |
winnow_spam_complete.ndb | Signatures to detect fraud and other malicious spam. | medium |
SecuriteInfo says that their ClamAV definitions add 4,000,000 signatures for malware and spam not detected by the official ClamAV signatures. There is a free feed of the signatures available, which only contains signatures older than 30 days. For up-to-date 0-day malware detection, you will need one of their paid plans.
Replace YOUR_API_KEY in the Warden provider URL with the customer ID hash that they provide you, e.g. https://www.securiteinfo.com/get/signatures/7f3a2506d23443342225c8c345345a14ce545645645644564534534a3f6b89ce51fd6d/
Paid subscribers can additionally select the securiteinfo.mdb and securiteinfo0hour.hdb files from the SecuriteInfo provider files select list to download the generic and 0-hour anti-virus signatures. Users can purchase the SecuriteInfo signatures from the SecuriteInfo client area after creating an account, logging in, and pressing the subscribe button.
SecuriteInfo recommends the settings below for the best detection while still avoiding too many false positives when using their signatures. On the Warden -> Settings -> Anti-virus Settings page, turn on the Detect possible unwanted apps option, add the following to the Exclude possible unwanted apps textarea, then press the update button to save the page and the restart button to restart the ClamAV daemon:
PUA.Win.Packer
PUA.Win.Trojan.Packed
PUA.Win.Trojan.Molebox
PUA.Win.Packer.Upx
PUA.Doc.Packed
securiteinfo_enable - securiteinfo_enable
Enable or disable the SecuriteInfo signature provider.
Default: 0
securiteinfo_provider_url - securiteinfo_provider_url
The base URL of this signature provider. You must replace YOUR_API_KEY with your customer id provided after signing up at SecuriteInfo.
Default: https://www.securiteinfo.com/get/signatures/YOUR_API_KEY/
securiteinfo_provider_files - securiteinfo_provider_files
The signature database files to download from this provider.
Default: securiteinfoandroid.hdb securiteinfoascii.hdb securiteinfohtml.hdb javascript.ndb securiteinfopdf.hdb securiteinfo.hdb securiteinfo.ign2
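The provider settings above (a base URL plus a list of database files, with SecuriteInfo's YOUR_API_KEY placeholder) are what end up as DatabaseCustomURL entries, and the files listed are what gets removed from /var/lib/clamav/ when a provider is disabled. The following Python is an added example, not Warden's own code; the function names and the freshclam.conf-style output are assumptions. It builds the DatabaseCustomURL lines for the SaneSecurity and SecuriteInfo settings on this page, refuses a SecuriteInfo URL whose placeholder was never replaced, rejects file names that are not plain basenames, and lists the files a provider cleanup would delete while never touching the official main/daily/bytecode databases.

```python
"""Build freshclam DatabaseCustomURL entries for third-party ClamAV providers
and work out what a provider cleanup may delete.

Added example; helper names are assumptions, not Warden's API."""
import os
from urllib.parse import urljoin, urlsplit

# Provider settings as documented on this page (SaneSecurity list shortened).
SANESECURITY_URL = "https://ftp.swin.edu.au/sanesecurity/"
SANESECURITY_FILES = "badmacro.ndb blurl.ndb phishtank.ndb rogue.hdb".split()
SECURITEINFO_URL = "https://www.securiteinfo.com/get/signatures/YOUR_API_KEY/"
SECURITEINFO_FILES = "securiteinfo.hdb securiteinfo.ign2".split()

PLACEHOLDER = "YOUR_API_KEY"
# Official ClamAV databases that a provider cleanup must never remove.
OFFICIAL_DBS = {"main.cvd", "main.cld", "daily.cvd", "daily.cld",
                "bytecode.cvd", "bytecode.cld"}


def resolve_provider_url(base_url, api_key=None):
    """Substitute the API key and refuse unresolved or non-HTTPS URLs."""
    if PLACEHOLDER in base_url:
        if not api_key:
            raise ValueError("provider URL still contains " + PLACEHOLDER)
        base_url = base_url.replace(PLACEHOLDER, api_key)
    if urlsplit(base_url).scheme != "https":
        # Signature databases are code-like input to clamd; fetch them only over TLS.
        raise ValueError("provider URL must use https: " + base_url)
    return base_url if base_url.endswith("/") else base_url + "/"


def custom_url_lines(base_url, files, api_key=None):
    """One 'DatabaseCustomURL <url>' line per database file."""
    base = resolve_provider_url(base_url, api_key)
    lines = []
    for name in files:
        # freshclam stores the download under its basename; a name with a
        # path component (e.g. '../x') would point outside the database dir.
        if not name or os.path.basename(name) != name:
            raise ValueError("bad database file name: %r" % name)
        lines.append("DatabaseCustomURL " + urljoin(base, name))
    return lines


def files_to_remove(files, db_dir="/var/lib/clamav"):
    """Paths a provider cleanup would delete; official databases are skipped."""
    return [os.path.join(db_dir, n) for n in files if n not in OFFICIAL_DBS]


def freshclam_fragment(providers, api_keys=None):
    """providers: {name: (base_url, files)}; api_keys: {name: key}."""
    api_keys = api_keys or {}
    out = ["# third-party signature providers"]
    for prov, (url, files) in providers.items():
        out.append("# " + prov)
        out.extend(custom_url_lines(url, files, api_keys.get(prov)))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # A constructed key stands in for the customer ID hash SecuriteInfo issues.
    print(freshclam_fragment(
        {"sanesecurity": (SANESECURITY_URL, SANESECURITY_FILES),
         "securiteinfo": (SECURITEINFO_URL, SECURITEINFO_FILES)},
        api_keys={"securiteinfo": "0123456789abcdef"}))
    for path in files_to_remove(SANESECURITY_FILES + ["daily.cvd"]):
        print("would remove:", path)
```

Two checks in this block are the ones worth keeping in any real deployment: a SecuriteInfo URL that still contains YOUR_API_KEY only produces 403/404 update failures in the Signature Log, so failing early is cheaper; and because freshclam writes each DatabaseCustomURL download under its basename inside the database directory, a provider file name is only ever a bare file name, never a path.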
File | Description |
---|---|
javascript.ndb | JavaScript malware. |
securiteinfo.hdb | Executable malware (exe, com, dll) less than one year old. |
securiteinfo.ign2 | Checksums of false positives and common files. Mandatory for any usage. |
securiteinfo.mdb | Generic malware signatures (paid subscription only). |
securiteinfo0hour.hdb | Malware that appeared on the Internet in the past hour (paid subscription only). |
securiteinfoandroid.hdb | Android malware. |
securiteinfoold.hdb | Malware older than one year (optional). Use it if you are not limited in resources (RAM/CPU). |
securiteinfoascii.hdb | Text file malware (Perl or shell scripts, bat files, exploits). |
securiteinfohtml.hdb | HTML malware. |
securiteinfopdf.hdb | PDF malware and spam. |
URLhaus from abuse.ch is a collection of URLs of sites distributing malware.
urlhaus_enable - urlhaus_enable
Enable or disable the URLhaus signature provider.
Default: 0
urlhaus_provider_url - urlhaus_provider_url
The base URL of this signature provider.
Default: https://urlhaus.abuse.ch/downloads/
urlhaus_provider_files - urlhaus_provider_files
The signature database files to download from this provider.
Default: urlhaus.ndb
File | Description |
---|---|
urlhaus.ndb | A collection of URLs of sites distributing malware. |